Saturday, July 15, 2006

OS Authentication

I found an excellent SECURITY resource white paper at Oracle Technology Network. It is called "Project Lockdown" by Oracle Ace Arup Nanda. Here is the link:

http://www.oracle.com/technology/pub/articles/project_lockdown/index.html

In particular, I was interested in what Mr. Nanda had to say about OS Authentication, because it is becoming more of a requirement in companies to keep users from embedding user and password information in UNIX and SQL applications.

I used to think that OS Authentication removed an additional security control by not forcing an Oracle login and password. However, with the more secure operating systems (particularly the big three: Sun, HP, and IBM), it becomes a valid option. If your OS is not rock solid and very secure, then I would definitely not use it. If you do use it, then remote OS authentication should be disabled. Disabling remote OS authentication should be a requirement.
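As an added example (not taken from this post or from the Project Lockdown paper), the following SQL is one way to audit the points above from a DBA session. It assumes a 10g-era data dictionary, where externally identified accounts show `EXTERNAL` in `DBA_USERS.PASSWORD`; the list of roles treated as powerful is an illustrative choice.

```sql
-- Added example: audit OS authentication settings (run as a DBA).

-- 1. Remote OS authentication and remote OS roles should both be FALSE.
--    os_authent_prefix shows the prefix used for OS-authenticated accounts
--    (OPS$ by default).
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'remote_os_roles', 'os_authent_prefix');

-- 2. List every account that is identified externally (by the OS).
--    Assumption: 10g-era dictionary; later releases expose this in
--    DBA_USERS.AUTHENTICATION_TYPE instead.
SELECT username, account_status, created
FROM   dba_users
WHERE  password = 'EXTERNAL'
ORDER  BY username;

-- 3. Flag OS-authenticated accounts holding powerful roles.
--    These accounts are only as safe as the OS login behind them.
--    The role list is illustrative; extend it for your site.
SELECT u.username, rp.granted_role, rp.admin_option
FROM   dba_users u
JOIN   dba_role_privs rp ON rp.grantee = u.username
WHERE  u.password = 'EXTERNAL'
AND    rp.granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
ORDER  BY u.username, rp.granted_role;

-- 4. Remediation if step 1 shows TRUE. Both parameters are static, so the
--    change is written to the spfile and takes effect at the next restart.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_roles   = FALSE SCOPE = SPFILE;
```

After the restart, rerun the first query to confirm that both values read FALSE.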

This article is definitely required reading. All the procedures in the article should be implemented for the systems you manage. I plan on following these procedures and using this article in my next ET audit.

Thank you, Arup Nanda.
